http://www.securityfocus.com/archive/1/251418/2002-01-15/2002-01-21/0

Looks like another way of triggering the bug, IMO.

Philippe Biondi wrote:
> ----------------------------------------------------------------------
> Cartel Sécurité --- Security Advisory
>
> Advisory Number: CARTSA-20030314
> Subject: Linux 2.0 remote info leak from too big icmp citation
> Author: Philippe Biondi <biondi@cartel-securite.fr>
> Discovered: March 14, 2003
> Published: June 9, 2003
> CERT reference: VU#471084 (http://www.kb.cert.org/vuls/id/471084)
> ----------------------------------------------------------------------
>
> You can use this URL to link this document :
> http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt
>
>
> Problem description
> ===================
>
> There is a bug in the way the linux 2.0 kernel IP stack computes the size of an
> ICMP citation for almost every ICMP error. This leads to too much data being
> sent on the network, coming from anywhere in the memory.
>
> This is a very important leak. Experiments show that even passwords can
> be stolen. Moreover, you can do this from anywhere on the internet, as soon
> as you can send IP packets to the vulnerable host (except special firewalling).
>
> The typical case is when you use a linux 2.0 box (or, more probably,
> any appliance that uses it) as a masquerading gateway for internet and
> DMZ. In this configuration, the gateway can be used to leak potentially
> all your traffic from your LAN, even your POP passwords for
> the mail server in the DMZ.
>
>
> Vulnerable products
> ===================
>
> Any 2.0 linux kernel before 2.0.39 (2.0.39 included)
> Watchguard Firebox II
>
> Any appliance (firewall, proxy, etc.) that uses linux 2.0 <= 2.0.39
>
>
> A tester can be found here (no guarantee though) :
> http://www.cartel-securite.fr/pbiondi/python/icmpleaktest.py
>
> Vulnerable:
> # ./icmpleaktest.py 192.168.11.2
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got '\x95\x03\x1a\x10Ji\xfb\xba\xd0\xc5Q\x14\x877\xbd\x8a;\xb3^\x7f'
>
> Not vulnerable:
> # ./icmpleaktest.py 172.16.1.40
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got ''
>
>
> Vendor status
> =============
>
> Linux 2.0.40 should be out soon.

I was under the impression they would have fixed it earlier. That said, I wouldn't be surprised.

> Watchguard said updated releases will follow.
>
> These vendors said they are not vulnerable :
> * Netscreen
> * Symantec
> * Novell
> * Clavister
> * Ingrian
> * StoneSoft
> * Sun
>
>
> Solutions
> =========
>
> * patch at http://www.cartel-securite.fr/pbiondi/patches/icmpleak.patch
> (No guarantee)
> * exchange your old appliance for a brand new linux 2.4/netfilter
>
>
> Workarounds
> ===========
>
> No good workarounds. But you can at least carefully try these :
> * truncate ICMP errors at the RFC limit,
> * filter out icmp errors
>
>
> Example
> =======
>
> We can send an IP packet with the MF flag :
>
> 15:41:05 192.168.0.12.80 > 192.168.0.10.80: udp 4 (frag 52007:12@0+)
> 0x0000 4500 0020 cb27 2000 4011 0e3f c0a8 000c E....'..@..?....
> 0x0010 c0a8 000a 0050 0050 000c cd1e 5858 5858 .....P.P....XXXX
>
> we wait 30s for the reassembly to timeout :
>
> 15:41:35 192.168.0.10 > 192.168.0.12: icmp: ip reassembly time exceeded [tos 0xc0]
> 0x0000 45c0 0050 dcca 0000 4001 1bbc c0a8 000a E..P....@.......
> 0x0010 c0a8 000c 0b01 aa24 0000 0000 4500 0020 .......$....E...
> 0x0020 cb27 2000 4011 0e3f c0a8 000c c0a8 000a .'..@..?........
> 0x0030 0050 0050 000c cd1e 5858 5858 0050 0050 .P.P....XXXX.P.P
> 0x0040 000c cd1e 5858 5858 207b 2d68 0000 0000 ....XXXX.{-h....
>
>
> Bytes at offsets 0x3c to 0x4f are bonus.
> It works with every ICMP error except the port unreachable error.
> It is possible to increase the size of data leaked by adding IP options.
>
>
> Examples of bonus bytes :
>
> 98 EA CD 03 10 58 CD 03 31 32 33 34 AA FF 55 00 .....X..1234..U.
> 98 86 0C 03 98 EC CD 03 10 58 CD 03 00 00 00 00 .........X......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 58 EE CD 03 98 86 0C 03 98 EE CD 03 10 58 CD 03 X............X..
> 69 6E 66 6F 72 6D 61 74 69 6F 6E 00 4D 49 4E 46 information.MINF
> 00 00 00 00 00 00 00 00 AA FF 55 00 90 88 CC 03 ..........U.....
> 00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
> 2E 30 2E 25 75 2E 69 6E 2D 61 64 64 72 2E 61 72 .0.%u.in-addr.ar
> 90 12 CC 03 00 00 00 00 98 C0 B5 02 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 43 5F 4D 4F 4E 45 54 41 52 59 00 4C 43 5F 43 4F C_MONETARY.LC_CO
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 90 E2 CA 03 00 00 00 00 98 A0 CC 03 00 00 00 00 ................
> 00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 18 5F FF 00 00 00 00 00 14 00 00 00 ....._..........
> 73 69 6E 6C 00 2E 67 6E 75 2E 77 61 72 6E 69 6E sinl..gnu.warnin
> 70 9E 09 40 60 9E 09 40 E0 9A 08 40 A0 9F 08 40 p..@`..@...@...@
> 68 01 00 00 41 46 00 00 67 01 00 00 41 4C 00 00 h...AF..g...AL..
> FF FF FF FF FF FF FF FF E2 00 00 00 4A 00 00 00 ............J...
> 61 67 65 2D 72 65 74 75 72 6E 00 53 49 00 53 4F age-return.SI.SO
> 61 73 68 00 7A 65 72 6F 00 6F 6E 65 00 74 77 6F ash.zero.one.two
> 0D 00 00 00 01 00 00 00 0E 00 00 00 01 00 00 00 ................
> 01 00 00 00 2D 00 00 00 01 00 00 00 2E 00 00 00 ....-...........
> 4C 00 00 00 01 00 00 00 4D 00 00 00 01 00 00 00 L.......M.......
> 01 00 00 00 6C 00 00 00 01 00 00 00 6D 00 00 00 ....l.......m...
> 4C 43 5F 41 4C 4C 00 4C 43 5F 4D 45 53 53 41 47 LC_ALL.LC_MESSAG
>
>
> ----------------------------------------------------------------------
> Copyright (c) Cartel Sécurité
> This document is copyrighted. It can't be edited nor republished
> without explicit consent of Cartel Sécurité.
> For more information, feel free to contact us.
> http://www.cartel-securite.fr/
> ----------------------------------------------------------------------

Sincerely,
Andrew Griffiths
--
<Kahless> geez, u climb the highest mountain, netstumble the highest mast, but you suck one cock........
<Clonefish> No thanks
<Kahless> hey, it wasn't an invitation........
<RokLobsta> or you help luigi build his house, guiseppe to get his business going and you save the town from a meteor, but you fuck one goat....
<Kahless> that's the one
<Clonefish> Mmmmkay.....
<swarm> um
<swarm> next topic plz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
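The citation-length check behind the advisory's example, as an added example that is not part of the advisory, its linked tester, or this thread. It re-enters the "ip reassembly time exceeded" reply from the advisory's tcpdump output as bytes (the 0x0030 line is wrapped in the archive; its two halves are joined here, and both the IP and ICMP checksums verify over the result), measures how far the citation runs past the quoted datagram's own total-length field (the "bonus" bytes at 0x3c to 0x4f), and applies the "truncate ICMP errors at the RFC limit" workaround with both checksums recomputed. The function names and the choice of RFC 792's header-plus-64-bits as the truncation point are this example's own.

```python
"""Inspect an ICMP error for citation bytes that cannot have come from the
datagram it quotes, and truncate the citation to the RFC 792 size.

Added example; not code from the advisory or from the icmpleaktest.py tester.
"""
import struct

# The ICMP reply captured in the advisory (192.168.0.10 -> 192.168.0.12),
# re-entered from its tcpdump hex dump.  The wrapped 0x0030 line is rejoined.
ADVISORY_ICMP_REPLY = bytes.fromhex(
    "45c0 0050 dcca 0000 4001 1bbc c0a8 000a"   # IP header, total length 0x50
    "c0a8 000c 0b01 aa24 0000 0000 4500 0020"   # ICMP type 11 code 1, then citation
    "cb27 2000 4011 0e3f c0a8 000c c0a8 000a"   # cited IP header, total length 0x20
    "0050 0050 000c cd1e 5858 5858 0050 0050"   # cited UDP fragment, bonus from 0x3c
    "000c cd1e 5858 5858 207b 2d68 0000 0000"
)

# ICMP types whose body quotes the offending datagram (RFC 792).
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    5: "redirect", 11: "time exceeded", 12: "parameter problem"}

# RFC 792: the citation is the original IP header plus 64 bits of its data.
RFC792_PAYLOAD_BYTES = 8


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum; yields 0 over data whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyse_icmp_error(pkt: bytes) -> dict:
    """Parse an IPv4/ICMP error and compare the citation with the quoted
    datagram's total-length field: any citation byte past that length was
    never part of the offending datagram, so it is leaked sender memory."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d carries no citation" % icmp_type)
    citation = pkt[ihl + 8:total_len]
    cited_ihl = (citation[0] & 0x0F) * 4
    cited_total = struct.unpack_from("!H", citation, 2)[0]
    return {
        "type": icmp_type, "code": icmp_code,
        "citation_len": len(citation),
        "cited_total_len": cited_total,
        "rfc792_len": cited_ihl + RFC792_PAYLOAD_BYTES,
        "leaked": citation[cited_total:],          # empty for a sane citation
        "leaked_offset": ihl + 8 + cited_total,    # offset of the first bonus byte
    }


def truncate_icmp_error(pkt: bytes) -> bytes:
    """The advisory's workaround: cut the citation at the RFC 792 size and
    recompute the IP and ICMP checksums so the shortened packet stays valid."""
    info = analyse_icmp_error(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    end = min(ihl + 8 + info["rfc792_len"], total_len)
    out = bytearray(pkt[:end])
    struct.pack_into("!H", out, 2, len(out))                        # new total length
    struct.pack_into("!H", out, 10, 0)
    struct.pack_into("!H", out, 10, inet_checksum(bytes(out[:ihl])))  # IP checksum
    struct.pack_into("!H", out, ihl + 2, 0)
    struct.pack_into("!H", out, ihl + 2, inet_checksum(bytes(out[ihl:])))  # ICMP checksum
    return bytes(out)


if __name__ == "__main__":
    info = analyse_icmp_error(ADVISORY_ICMP_REPLY)
    print("ICMP type %(type)d code %(code)d: citation is %(citation_len)d bytes, "
          "quoted datagram is only %(cited_total_len)d" % info)
    print("bonus bytes from offset 0x%x: %s"
          % (info["leaked_offset"], info["leaked"].hex()))
    print("truncated packet: %d bytes" % len(truncate_icmp_error(ADVISORY_ICMP_REPLY)))
```

Run against the advisory's reply, the check reports a 52-byte citation for a 32-byte datagram and returns the 20 bonus bytes starting at 0x3c, which are a second copy of the UDP header followed by 8 bytes of whatever sat beyond the fragment in memory. The same comparison is what a filter implementing the workaround has to make, and the truncated packet still passes both checksum verifications.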
This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 02:13:37 PDT